Cybersecurity researchers have uncovered a novel malware marketing campaign that leverages Google Sheets as a command-and-control (C2) mechanism.
The exercise, detected by Proofpoint beginning August 5, 2024, impersonates tax authorities from governments in Europe, Asia, and the U.S., with the objective of concentrating on over 70 organizations worldwide by the use of a bespoke software referred to as Voldemort that is geared up to assemble data and ship further payloads.
Focused sectors embody insurance coverage, aerospace, transportation, academia, finance, expertise, industrial, healthcare, automotive, hospitality, vitality, authorities, media, manufacturing, telecom, and social profit organizations.
The suspected cyber espionage marketing campaign has not been attributed to a selected named risk actor. As many as 20,000 e-mail messages have been despatched as a part of the assaults.
These emails declare to be from tax authorities within the U.S., the U.Okay., France, Germany, Italy, India, and Japan, alerting recipients about modifications to their tax filings and urging them to click on on Google AMP Cache URLs that redirect customers to an intermediate touchdown web page.
What the web page does is examine the Person-Agent string to find out if the working system is Home windows, and in that case, leverage the search-ms: URI protocol handler to show a Home windows shortcut (LNK) file that makes use of an Adobe Acrobat Reader to masquerade as a PDF file in an try and trick the sufferer into launching it.
“If the LNK is executed, it would invoke PowerShell to run Python.exe from a 3rd WebDAV share on the identical tunnel (library), passing a Python script on a fourth share (useful resource) on the identical host as an argument,” Proofpoint researchers Tommy Madjar, Pim Trouerbach, and Selena Larson stated.
“This causes Python to run the script with out downloading any recordsdata to the pc, with dependencies being loaded instantly from the WebDAV share.”
The Python script is designed to assemble system data and ship the info within the type of a Base64-encoded string to an actor-controlled area, after which it exhibits a decoy PDF to the person and downloads a password-protected ZIP file from OpenDrive.
The ZIP archive, for its half, incorporates two recordsdata, a official executable “CiscoCollabHost.exe” that is vulnerable to DLL side-loading and a malicious DLL “CiscoSparkLauncher.dll” (i.e., Voldemort) file that is sideloaded.
Voldemort is a customized backdoor written in C that comes with capabilities for data gathering and loading next-stage payloads, with the malware using Google Sheets for C2, knowledge exfiltration, and executing instructions from the operators.
Proofpoint described the exercise as aligned to superior persistent threats (APT) however carrying “cybercrime vibes” owing to the usage of methods standard within the e-crime panorama.
“Menace actors abuse file schema URIs to entry exterior file sharing sources for malware staging, particularly WebDAV and Server Message Block (SMB). That is accomplished by utilizing the schema ‘file://’ and pointing to a distant server internet hosting the malicious content material,” the researchers stated.
This strategy has been more and more prevalent amongst malware households that act as preliminary entry brokers (IABs), akin to Latrodectus, DarkGate, and XWorm.
Moreover, Proofpoint stated it was in a position to learn the contents of the Google Sheet, figuring out a complete of six victims, together with one which’s believed to be both a sandbox or a “recognized researcher.”
The marketing campaign has been branded uncommon, elevating the likelihood that the risk actors solid a large internet earlier than zeroing in on a small pool of targets. It is also attainable that the attackers, possible with various ranges of technical experience, deliberate to contaminate a number of organizations.
“Whereas most of the marketing campaign traits align with cybercriminal risk exercise, we assess that is possible espionage exercise carried out to assist as but unknown ultimate aims,” the researchers stated.
“The Frankensteinian amalgamation of intelligent and complex capabilities, paired with very primary methods and performance, makes it tough to evaluate the extent of the risk actor’s functionality and decide with excessive confidence the last word targets of the marketing campaign.”
The event comes as Netskope Menace Labs uncovered an up to date model of the Latrodectus (model 1.4) that comes with a brand new C2 endpoint and provides two new backdoor instructions that enable it to obtain shellcode from a specified server and retrieve arbitrary recordsdata from a distant location.
“Latrodectus has been evolving fairly quick, including new options to its payload,” safety researcher Leandro Fróes stated. “The understanding of the updates utilized to its payload permits defenders to maintain automated pipelines correctly set in addition to use the data for additional trying to find new variants.”